Re: [squid-users] https_port not correctly sending ssl cert information?

2021-05-11 Thread Dan Steen
Great! I'll give it a try and report back. Thanks so much!

On Tue, May 11, 2021, at 10:03 PM, squ...@treenet.co.nz wrote:
> Oh, I see. With that simple config the issue has to be lack of cert 
> chain support in GnuTLS. Simply rebuilding using --with-openssl should 
> resolve it.
> 
> Amos
> 

Dan Steen

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] https_port not correctly sending ssl cert information?

2021-05-11 Thread squid3
Oh, I see. With that simple config the issue has to be lack of cert 
chain support in GnuTLS. Simply rebuilding using --with-openssl should 
resolve it.


Amos


Re: [squid-users] https_port not correctly sending ssl cert information?

2021-05-11 Thread Dan Steen
Hi Amos!

Thanks for the response! I put my full config in that gist 
(https://gist.github.com/dansteen/c28343fd025c713bcfba8368ce2b728b) if that 
helps. Is there something else that would be helpful to see?

Thanks!

On Tue, May 11, 2021, at 9:16 PM, Amos Jeffries wrote:
> The main issue you are having is that the old version had no TLS/1.3 support. 
> The newer squid have some, but not enough for what you are doing.
> 
> Switching the build from GnuTLS to OpenSSL may work a little better. But 
> without details of your config it is hard to be certain.
> 
> Amos

Dan Steen
Founder, CTO
MirageID
...@mirageid.com
443-204-9478


[squid-users] https_port not correctly sending ssl cert information?

2021-05-11 Thread Dan Steen
Hi!

I've recently been trying to update my version of squid from 4.0.20 to 
something more modern (4.13), but I'm having issues with my TLS enabled proxy 
not returning certificates correctly (it seems). Specifically, when I try and 
run the following curl (url replaced to protect the innocent):

curl -vvI --proxy https://test.example.com:5000 https://google.com

I get the following result:

*   Trying 167.99.53.100:5000...
* Connected to test.example.com port 5000
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate

This is different than what I get for my old 4.0.20 server:

* Connected to test.example.com port 3128 (#0)
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Proxy certificate:
*  subject: CN=*.example.com
*  start date: Apr  5 21:02:06 2021 GMT
*  expire date: May  7 21:02:06 2022 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
*  SSL certificate verify ok.

But the config and certs are exactly the same!  I've pasted the config, output 
of squid -v, and cert information here:  
https://gist.github.com/dansteen/c28343fd025c713bcfba8368ce2b728b

One difference between the two that I noticed is that the old version is 
compiled with --with-openssl and --enable-ssl and --enable-ssl-crtd, and the new 
version only has --with-gnutls. Would that be the issue? I appreciate the 
help!

Thanks!
Dan Steen
